[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Rawhide update gone awry



Steve Brueckner wrote:

I appear to have borked my SELinux installation. I wanted to experiment
with the new name_connect permission, which I read was available with the
latest rawhide kernel and selinux policy. So, in my first-ever attempt to
use rawhide, I enabled my /etc/yum.repos.d/fedora-devel.repo file and then
yum updated to the following:


No you probably just picked the wrong day to update to rawhide. I have an updated policy on ftp://people.redhat.com/dwalsh/SELinux/Fedora.
It will fix some of the problems.


But you might want to do a complete yum update to get the latest stuff (FC4/Test2 plus updates).

Dan

kernel.i686                              2.6.11-1.1267_FC4      installed
selinux-policy-targeted.noarch           1.23.12-4              installed
selinux-policy-targeted-sources.noarch   1.23.12-4              installed
selinux-policy-strict.noarch             1.23.12-4              installed
selinux-policy-strict-sources.noarch     1.23.12-4              installed
libselinux.i386                          1.23.7-3               installed
libselinux-devel.i386                    1.23.7-3               installed
libselinux-debuginfo.i386                1.23.7-3               installed
libsepol.i386                            1.5.5-2                installed
policycoreutils.i386                     1.23.6-1               installed
checkpolicy.i386                         1.23.1-1               installed
setools.i386                             2.1.0-2                installed
selinux-doc.noarch                       1.19.5-1               installed

I then did a touch /.autorelabel; reboot, then after rebooting a make
reload.  I'm using the targeted policy in permissive mode (things freeze up
when I setenforce 1).  Policy version is 19.

I get a lot of avc denied messages on boot; enough to make me think I did
something wrong with my policy update or kernel update.  Did I even go about
this the right way?  Is there anything obviously wrong with the steps I
took?  I'm running FC3, and I wasn't certain about updating to an FC4 kernel
but yum seemed to think it was OK so I went for it.  I get the same errors
when I revert to 2.6.11-1.14_FC3.

Thanks for any ideas.  My boot log is included below, with anything
non-SELinux related snipped out.

- Steve Brueckner, ATC-NY



$ dmesg
Linux version 2.6.11-1.1267_FC4 (bhcompile porky build redhat com) (gcc
version 4.0.0 20050423 (Red Hat 4.0.0-1)) #1 Mon Apr 25 19:22:44 EDT 2005
...
Security Framework v1.0.0 initialized
SELinux:  Initializing.
SELinux:  Starting in permissive mode
selinux_register_security:  Registering secondary module capability
Capability LSM initialized as secondary
...
audit: initializing netlink socket (disabled)
audit(1114514592.659:0): initialized
...
SELinux:  Registering netfilter hooks
...
security:  3 users, 6 roles, 684 types, 75 bools
security:  55 classes, 126760 rules
SELinux:  Completing initialization.
SELinux:  Setting up existing superblocks.
SELinux: initialized (dev dm-0, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
SELinux: initialized (dev mqueue, type mqueue), not configured for labeling
SELinux: initialized (dev hugetlbfs, type hugetlbfs), not configured for
labeling
SELinux: initialized (dev devpts, type devpts), uses transition SIDs
SELinux: initialized (dev eventpollfs, type eventpollfs), uses
genfs_contexts
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts
SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
SELinux: initialized (dev proc, type proc), uses genfs_contexts
SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
audit(1114514601.951:0): avc:  denied  { use } for  path=/init dev=rootfs
ino=8 scontext=system_u:system_r:syslogd_t
tcontext=system_u:system_r:kernel_t tclass=fd
...
SELinux: initialized (dev ramfs, type ramfs), uses genfs_contexts
...
SELinux: initialized (dev hda1, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Adding 2031608k swap on /dev/VolGroup00/LogVol01.  Priority:-1 extents:1
SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses
genfs_contexts
...
audit(1114529038.066:0): avc:  denied  { read } for  name=config dev=dm-0
ino=3837327 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:selinux_config_t tclass=file
audit(1114529038.066:0): avc:  denied  { getattr } for
path=/etc/selinux/config dev=dm-0 ino=3837327
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:selinux_config_t tclass=file
audit(1114529038.092:0): avc:  denied  { execute } for  name=restorecon
dev=dm-0 ino=1802308 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:restorecon_exec_t tclass=file
audit(1114529038.092:0): avc:  denied  { execute_no_trans } for
path=/sbin/restorecon dev=dm-0 ino=1802308
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:restorecon_exec_t tclass=file
audit(1114529038.092:0): avc:  denied  { read } for  path=/sbin/restorecon
dev=dm-0 ino=1802308 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:restorecon_exec_t tclass=file
audit(1114529038.093:0): avc:  denied  { search } for  name=contexts
dev=dm-0 ino=3834258 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:default_context_t tclass=dir
audit(1114529038.093:0): avc:  denied  { search } for  name=files dev=dm-0
ino=3834262 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:file_context_t tclass=dir
audit(1114529038.093:0): avc:  denied  { read } for  name=file_contexts
dev=dm-0 ino=3834260 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:file_context_t tclass=file
audit(1114529038.093:0): avc:  denied  { getattr } for
path=/etc/selinux/targeted/contexts/files/file_contexts dev=dm-0 ino=3834260
scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:file_context_t
tclass=file
audit(1114529038.096:0): avc:  denied  { search } for  name=/ dev=selinuxfs
ino=232 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:security_t tclass=dir
audit(1114529038.096:0): avc:  denied  { read write } for  name=context
dev=selinuxfs ino=5 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:security_t tclass=file
audit(1114529038.096:0): avc:  denied  { check_context } for
scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:security_t
tclass=security
audit(1114529038.479:0): avc:  denied  { use } for  path=/init dev=rootfs
ino=8 scontext=system_u:system_r:named_t tcontext=system_u:system_r:kernel_t
tclass=fdSELinux: initialized (dev rpc_pipefs, type rpc_pipefs), uses
genfs_contexts
audit(1114529040.947:0): avc:  denied  { use } for  path=/init dev=rootfs
ino=8 scontext=system_u:system_r:howl_t tcontext=system_u:system_r:kernel_t
tclass=fd
audit(1114529043.069:0): avc:  denied  { use } for  path=/init dev=rootfs
ino=8 scontext=system_u:system_r:cupsd_config_t
tcontext=system_u:system_r:kernel_t tclass=fd
...
audit(1114529047.672:0): avc:  denied  { read } for  path=/init dev=rootfs
ino=8 scontext=system_u:system_r:restorecon_t
tcontext=system_u:object_r:root_t tclass=file
audit(1114529050.126:0): avc:  denied  { use } for  path=/init dev=rootfs
ino=8 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:kernel_t
tclass=fdaudit(1114529052.770:0): avc:  denied  { write } for  name=etc
dev=dm-0 ino=3833857 scontext=system_u:system_r:hald_t
tcontext=system_u:object_r:etc_t tclass=dir
audit(1114529052.770:0): avc:  denied  { add_name } for  name=.fstab.hal.S
scontext=system_u:system_r:hald_t tcontext=system_u:object_r:etc_t
tclass=dir
audit(1114529052.770:0): avc:  denied  { create } for  name=.fstab.hal.S
scontext=system_u:system_r:hald_t tcontext=system_u:object_r:etc_t
tclass=file
audit(1114529053.042:0): avc:  denied  { write } for  name=media dev=dm-0
ino=8552449 scontext=system_u:system_r:hald_t
tcontext=system_u:object_r:mnt_t tclass=dir
audit(1114529053.042:0): avc:  denied  { remove_name } for  name=cdrecorder
dev=dm-0 ino=8552450 scontext=system_u:system_r:hald_t
tcontext=system_u:object_r:mnt_t tclass=dir
audit(1114529053.042:0): avc:  denied  { rmdir } for  name=cdrecorder
dev=dm-0 ino=8552450 scontext=system_u:system_r:hald_t
tcontext=system_u:object_r:mnt_t tclass=dir
audit(1114529053.157:0): avc:  denied  { write } for  path=/etc/.fstab.hal.S
dev=dm-0 ino=3837358 scontext=system_u:system_r:hald_t
tcontext=system_u:object_r:etc_t tclass=file
audit(1114529053.157:0): avc:  denied  { remove_name } for
name=.fstab.hal.S dev=dm-0 ino=3837358 scontext=system_u:system_r:hald_t
tcontext=system_u:object_r:etc_t tclass=dir
audit(1114529053.157:0): avc:  denied  { rename } for  name=.fstab.hal.S
dev=dm-0 ino=3837358 scontext=system_u:system_r:hald_t
tcontext=system_u:object_r:etc_t tclass=file
audit(1114529053.157:0): avc:  denied  { unlink } for  name=fstab dev=dm-0
ino=3834553 scontext=system_u:system_r:hald_t
tcontext=system_u:object_r:etc_t tclass=file
audit(1114529053.179:0): avc:  denied  { write } for  name=rhgb-socket
dev=ramfs ino=4929 scontext=system_u:system_r:init_t
tcontext=system_u:object_r:ramfs_t tclass=sock_file
audit(1114529053.179:0): avc:  denied  { connectto } for
path=/etc/rhgb/temp/rhgb-socket scontext=system_u:system_r:init_t
tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket
audit(1114529053.577:0): avc:  denied  { getattr } for
path=/dev/VolGroup00/LogVol00 dev=tmpfs ino=5807
scontext=system_u:system_r:hald_t tcontext=system_u:object_r:device_t
tclass=lnk_file
audit(1114529053.653:0): avc:  denied  { add_name } for  name=cdrecorder
scontext=system_u:system_r:hald_t tcontext=system_u:object_r:mnt_t
tclass=dir
audit(1114529053.654:0): avc:  denied  { create } for  name=cdrecorder
scontext=system_u:system_r:hald_t tcontext=system_u:object_r:mnt_t
tclass=dir
audit(1114529053.674:0): avc:  denied  { getattr } for
path=/dev/mapper/VolGroup00-LogVol00 dev=tmpfs ino=1128
scontext=system_u:system_r:hald_t tcontext=system_u:object_r:device_t
tclass=blk_file
audit(1114529053.674:0): avc:  denied  { getattr } for  path=/dev/pts
dev=devpts ino=1 scontext=system_u:system_r:hald_t
tcontext=system_u:object_r:devpts_t tclass=dir
...
audit(1114529081.451:0): avc:  denied  { getattr } for  path=/dev/pts
dev=devpts ino=1 scontext=system_u:system_r:hald_t
tcontext=system_u:object_r:devpts_t tclass=dir

--
fedora-selinux-list mailing list
fedora-selinux-list redhat com
http://www.redhat.com/mailman/listinfo/fedora-selinux-list




--



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]